What's running on your laptop?
With the Shrew Soft VPN client (ike and ike-qtgui on Ubuntu) packages,
you *might* get an IPSec connection going, but NAT on your laptop/remote
end will likely trip things up. I would recommend steering clear of IPSec.
OpenVPN is the VPN of choice for road warriors. On the home/server end,
I use IPCop. It's a full-featured firewall distro that contains OpenVPN
(and IPSec) as well as a slew of other features. It will run nicely on
an old P-III system, with as little as 128M of RAM and a 1G HDD. Find an
old desktop system that's going to be scrapped, throw a 2nd NIC in it,
and you're ready to roll. You'll need a switch behind it for your
LAN/Green subnet, but those are dirt cheap as well.
--
-Eric 'shubes'
On 06/24/2012 01:21 PM, Mark Phillips wrote:
> Stephen,
>
> Thanks....there are tons of options on the device. But I read that I
> need a vpn server on my LAN.....other posts say no.....Most of the
> information I found in forums is several years old, so I thought someone
> with more experience than me could point me to a better manual. I read
> this http://www.debian-administration.org/articles/489, but again it is
> over 5 years old, so perhaps there is a better solution?
>
> This is the manual page from the BEFSX41.....I am not completely sure
> which options to use. Plus, I assume I may need something running on my
> laptop - OpenVPN? Do I need a VPN server on my LAN, or something else,
> to be able to login to my different machines?
>
> Mark
>
> */VPN Passthrough/*
>
> This Router supports IPSec, PPTP, and PPPoE Passthrough. You can select
> either *Enable* or *Disable* for these options.
>
> ------------------------------------------------------------------------
>
> */VPN/*
>
> *Select Tunnel Entry* - Select the tunnel number you want to set up.
>
> *Delete* - Click this to remove any entries made for the tunnel you
> selected.
>
> *Summary* - Click this button to display the status of all the tunnels.
>
> *IPSec VPN Tunnel* - Select *Enabled* to create a tunnel or *Disabled* to
> close the tunnel.
>
> *Tunnel Name* - Once the tunnel is enabled, enter an arbitrary name for
> the tunnel you are about to create.
>
> *Local Secure Group*
>
> This allows you to grant local computers access to this tunnel.
>
> Subnet - This will allow all computers on the local subnet to access the
> tunnel. Enter the IP Address and Mask to allow access to the tunnel.
> IP Addr. - This only allows the local computer with the specified IP
> address. Enter the IP address you want to allow access to the tunnel.
> IP Range - This allows a range of local computers to access the tunnel.
> Enter the IP address range allowed to access the tunnel.
>
> *Remote Secure Group*
>
> This allows you to grant remote computers access to this tunnel.
>
> Subnet - This will allow all computers on the remote subnet to access the
> tunnel. Enter the IP Address and Mask to allow access to the tunnel.
> IP Addr. - This only allows the remote computer with the specified IP
> address. Enter the IP address you want to allow access to the tunnel.
> IP Range - This allows a range of remote computers to access the tunnel.
> Enter the IP address range allowed to access the tunnel.
> Host - When this is selected, the settings will be the same as the Remote
> Security Gateway.
> Any - This option will allow any IP address from a remote location to
> access this tunnel.
>
> *Remote Secure Gateway*
>
> This sets the remote end of the VPN tunnel. You can either specify the
> IP address, Domain, or Any.
>
> IP Addr. - Enter the IP address of the remote tunnel you will connect.
> Domain - This option lets you enter the fully qualified domain name. If
> you do not have an IP address, you have an option to enter the domain of
> the tunnel you are connecting to.
> Any - This will allow any tunnel connection to be established.
>
> *Encryption*
>
> DES - Data Encryption Standard (DES) is a type of encryption for this VPN
> tunnel. If you select this option, make sure the other end of the tunnel
> uses the same encryption type.
> 3DES - Triple Data Encryption Standard (3DES) is a stronger type of
> encryption for this VPN Tunnel. If you select this option, make sure the
> other end of the tunnel uses the same encryption type.
> Disable - This option will not encrypt for this tunnel.
>
> *Authentication*
>
> MD5 - Message-Digest Algorithm (MD5) - Generates 128-bit message digest
> based on the input. If you select this option, make sure the other end
> of the tunnel uses the same authentication type.
> SHA - Secure Hash Algorithm (SHA) - Generates 160-bit message digest based
> on the input. If you select this option, make sure the other end of the
> tunnel uses the same authentication type.
> Disabled - This option will not authenticate for this tunnel.
>
> *Key Management*
>
> In order for any encryption to occur, the two ends of the tunnel must
> agree on the type of encryption. This is done by sharing a "key" to
> encrypt code. You can select *Auto (IKE)* or *Manual*.
>
> *Automatic Key Management*
>
> PFS - Perfect Forward Secrecy (PFS) ensures that the initial key exchange
> and IKE proposal are secure. This must be the same for both ends of the
> tunnel.
> Pre-shared Key - Enter a series of numbers and letters that will be used as
> your key. This must be the same for both ends of the tunnel.
> Key Lifetime - Enter a number of seconds for the life of the key. After the
> key lifetime expires, a new code will be generated. This must be the
> same for both ends of the tunnel.
>
> *Manual Key Management*
>
> Encryption key - Enter a series of letters or numbers to generate an
> encryption key. This must be the same for both ends of the tunnel.
> Authentication Key - Enter a series of letters or numbers to generate an
> authentication key. This must be the same for both ends of the tunnel.
> Inbound SPI - Enter a series of letters or numbers to generate the Inbound
> SPI. This must match the outbound SPI on the other end of the tunnel.
> Outbound SPI - Enter a series of letters or numbers to generate the
> outbound SPI. This must match the inbound SPI on the other end of the
> tunnel.
>
> *Status* - This will show if you are connected or disconnected from the
> other end of the VPN tunnel.
>
> *Connect/Disconnect* - This button will connect or disconnect the other
> end of the VPN tunnel.
>
> *View Log* - This will show you the VPN activity when connecting and
> disconnecting.
>
> Advanced Settings
>
> Phase 1 is used to create a Security Association (SA), often called the
> IKE SA. After Phase 1 is completed, Phase 2 is used to create one or
> more IPSec SAs, which are then used to key IPSec sessions.
>
> Operation Mode
>
> Main - This is for normal operation and is more secure.
> Aggressive - This is faster and less secure.
> Username - Some require a username to establish a VPN connection.
>
> Encryption - Select the length of the key used to encrypt/decrypt ESP
> packets. There are two choices: DES and 3DES. 3DES is recommended for
> security.
> Authentication - Select the method used to authenticate ESP packets. There
> are two choices: MD5 and SHA. SHA is recommended for security.
> Group - There are two Diffie-Hellman Groups to choose from: 768-bit and
> 1024-bit. Diffie-Hellman refers to a cryptographic technique that uses
> public and private keys for encryption and decryption.
> Key Lifetime - Enter a number of seconds for the life of the key. After the
> key lifetime expires, a new code will be generated. This must be the
> same for both ends of the tunnel.
>
> *Phase 2*
>
> Group - There are two Diffie-Hellman Groups to choose from: 768-bit and
> 1024-bit. Diffie-Hellman refers to a cryptographic technique that uses
> public and private keys for encryption and decryption.
> Key Lifetime - Enter a number of seconds for the life of the key. After the
> key lifetime expires, a new code will be generated. This must be the
> same for both ends of the tunnel.
>
> Other Setting
>
> NetBIOS broadcast - Check this to enable NetBIOS traffic to pass through
> the VPN tunnel.
> Anti-replay - Check this to enable the Anti-replay protection. This feature
> keeps track of sequence numbers and packet arrival, ensuring security at
> the IP packet-level.
> Keep-Alive - Check this to re-establish VPN tunnel connection whenever it
> is dropped. Once the tunnel is initialized, this feature will keep the
> tunnel connected.
> If IKE failed more than x Times, block this unauthorized IP for y
> seconds - Check this box to block unauthorized IP addresses. Complete the
> on-screen sentence to specify how many times IKE must fail before
> blocking that unauthorized IP address for a length of time that you
> specify (in seconds).
>
>
>
> On Sun, Jun 24, 2012 at 1:02 PM, Stephen <cryptworks@gmail.com> wrote:
>
> Rtfm?
>
> It really depends on what your options in the VPN device are.
>
> On Jun 24, 2012 1:00 PM, "Mark Phillips" <mark@phillipsmarketing.biz> wrote:
>
> I need to take my laptop on several road trips, and I need to
> connect back to my home office LAN - all Debian machines. I am
> on COX cable with a BEFSX41 router. The BEFSX41 has a VPN option
> that I have never used. What do I need to add to my laptop
> (Debian) to talk to my home office LAN securely (ie through a
> VPN) using my BEFSX41? Obviously, I am a complete nube when it
> comes to setting up VPN access to my LAN. I have googled for
> some recommendations, but I have not found a good reference to
> follow.
>
> Thanks,
>
> Mark
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
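Added example, not part of the original thread or of the router manual: a Python check that the two ends of an IPSec tunnel agree on the settings the quoted BEFSX41 manual says must match, and that flags the options the manual itself describes as unprotected or not recommended. The field names and sample values are constructed for illustration and do not correspond to any real export format.

```python
# Added example. Field names and sample values are constructed; they mirror
# the labels in the quoted BEFSX41 manual text, not a real config format.
SAME_BOTH_ENDS = ["encryption", "authentication", "key_management", "pfs",
                  "pre_shared_key", "key_lifetime", "encryption_key",
                  "authentication_key"]
SECRET_FIELDS = {"pre_shared_key", "encryption_key", "authentication_key"}


def audit_tunnel(local, remote):
    """Compare both ends of one tunnel; return a list of finding strings."""
    findings = []
    for field in SAME_BOTH_ENDS:
        a, b = local.get(field), remote.get(field)
        if a != b:
            # Never echo key material into a report or log.
            detail = "values differ" if field in SECRET_FIELDS else f"{a!r} vs {b!r}"
            findings.append(f"MISMATCH {field}: {detail}")
    # Manual keying: each end's inbound SPI must equal the other's outbound SPI.
    if local.get("key_management") == "Manual":
        for mine, theirs in (("inbound_spi", "outbound_spi"),
                             ("outbound_spi", "inbound_spi")):
            if local.get(mine) != remote.get(theirs):
                findings.append(f"MISMATCH local {mine} != remote {theirs}")
    # Settings the manual describes as unprotected, not recommended or wide open.
    for name, end in (("local", local), ("remote", remote)):
        if end.get("encryption") == "Disable":
            findings.append(f"REVIEW {name}: tunnel is not encrypted")
        elif end.get("encryption") == "DES":
            findings.append(f"REVIEW {name}: DES selected, manual recommends 3DES")
        if end.get("authentication") == "Disabled":
            findings.append(f"REVIEW {name}: tunnel is not authenticated")
        elif end.get("authentication") == "MD5":
            findings.append(f"REVIEW {name}: MD5 selected, manual recommends SHA")
        if end.get("mode") == "Aggressive":
            findings.append(f"REVIEW {name}: Aggressive mode, manual calls Main more secure")
        if end.get("remote_secure_group") == "Any":
            findings.append(f"REVIEW {name}: any remote IP may use the tunnel")
    return findings


# Constructed sample: router end and laptop end of the same tunnel.
ROUTER = {"encryption": "3DES", "authentication": "SHA",
          "key_management": "Auto (IKE)", "pfs": True,
          "pre_shared_key": "constructed-example-key", "key_lifetime": 3600,
          "mode": "Main", "remote_secure_group": "Any"}
LAPTOP = dict(ROUTER, authentication="MD5", key_lifetime=28800,
              remote_secure_group="Subnet")

if __name__ == "__main__":
    print("\n".join(audit_tunnel(ROUTER, LAPTOP)))
```
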